{{- if .Values.nodeManager.internal.capiControllerManagerEnabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  {{- include "helm_lib_module_labels" (list . (dict "app" "capi-controller-manager")) | nindent 2 }}
  name: capi-controller-manager:leader-election-role
  namespace: d8-cloud-instance-manager
rules:
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        cluster.x-k8s.io/aggregate-to-manager: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  {{- include "helm_lib_module_labels" (list . (dict "app" "capi-controller-manager")) | nindent 2 }}
  name: d8:node-manager:capi-controller-manager:aggregated-manager-role
rules: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  {{- include "helm_lib_module_labels" (list . (dict "app" "capi-controller-manager")) | nindent 2 }}
  name: d8:node-manager:capi-controller-manager:manager-role
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - addons.cluster.x-k8s.io
    resources:
      - '*'
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - addons.cluster.x-k8s.io
    resources:
      - clusterresourcesets/finalizers
      - clusterresourcesets/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - bootstrap.cluster.x-k8s.io
      - controlplane.cluster.x-k8s.io
      - infrastructure.cluster.x-k8s.io
    resources:
      - '*'
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - bootstrap.cluster.x-k8s.io
      - infrastructure.cluster.x-k8s.io
    resources:
      - '*'
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - clusterclasses
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - clusterclasses
      - clusterclasses/status
    verbs:
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - clusters
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - clusters
      - clusters/finalizers
      - clusters/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - clusters
      - clusters/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - machinedeployments
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - machinedeployments
      - machinedeployments/finalizers
    verbs:
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - machinedeployments
      - machinedeployments/finalizers
      - machinedeployments/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - machinehealthchecks
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - machinehealthchecks
      - machinehealthchecks/finalizers
      - machinehealthchecks/status
    verbs:
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - machinepools
      - machinepools/finalizers
      - machinepools/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - machines
      - machines/finalizers
      - machines/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - machines
      - machines/status
    verbs:
      - delete
      - get
      - list
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - machinesets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - machinesets
      - machinesets/finalizers
    verbs:
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - cluster.x-k8s.io
    resources:
      - machinesets
      - machinesets/finalizers
      - machinesets/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - ""
    resources:
      - pods/eviction
    verbs:
      - create
  - apiGroups:
      - "apps"
    resources:
      - daemonsets
    verbs:
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - ipam.cluster.x-k8s.io
    resources:
      - ipaddressclaims
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - runtime.cluster.x-k8s.io
    resources:
      - extensionconfigs
      - extensionconfigs/status
    verbs:
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
    {{- include "helm_lib_module_labels" (list . (dict "app" "capi-controller-manager")) | nindent 2 }}
  name: capi-controller-manager:leader-election-rolebinding
  namespace: d8-cloud-instance-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: capi-controller-manager:leader-election-role
subjects:
  - kind: ServiceAccount
    name: capi-controller-manager
    namespace: d8-cloud-instance-manager
  - kind: ServiceAccount
    name: capi-cloud-cluster-controller-manager
    namespace: d8-cloud-instance-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  {{- include "helm_lib_module_labels" (list . (dict "app" "capi-controller-manager")) | nindent 2 }}
  name: d8:node-manager:capi-controller-manager:aggregated-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: d8:node-manager:capi-controller-manager:aggregated-manager-role
subjects:
  - kind: ServiceAccount
    name: capi-controller-manager
    namespace: d8-cloud-instance-manager
  - kind: ServiceAccount
    name: capi-cloud-cluster-controller-manager
    namespace: d8-cloud-instance-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  {{- include "helm_lib_module_labels" (list . (dict "app" "capi-controller-manager")) | nindent 2 }}
  name: d8:node-manager:capi-controller-manager:manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: d8:node-manager:capi-controller-manager:manager-role
subjects:
  - kind: ServiceAccount
    name: capi-controller-manager
    namespace: d8-cloud-instance-manager
  - kind: User
    name: capi-controller-manager
  - kind: ServiceAccount
    name: capi-cloud-cluster-controller-manager
    namespace: d8-cloud-instance-manager
  - kind: User
    name: capi-cloud-cluster-controller-manager
{{- end }}
